On-car-data recording apparatus and in-train-image data managing system

ABSTRACT

An on-car-data recording apparatus mounted on a train to record image data, which is data of a video or an image photographed by an image pickup apparatus set in the train, including: a secret-key retaining unit that retains a secret key paired with a public key for electronic signature for which certification by a certification authority is completed, a train-specific-information managing unit that manages information specific to the own train capable of specifying a traveling position of the own train, an electronic-signature generating unit that integrates the image data and the information managed by the train-specific-information managing unit, calculates a hash value of obtained integrated data, and generates an electronic signature on the basis of the calculated hash value and the secret key, and an image data managing unit that retains the generated electronic signature and the image data used in generating the electronic signature in association with each other.

FIELD

The present invention relates to an on-car-data recording apparatus mounted on a train of a railroad system and to an electronic signature system for trains.

BACKGROUND

In recent years, there has been examined a system in which a camera for monitoring is attached in a car of a railroad system and data obtained by photographing a congestion situation and the like in the car (hereinafter referred to as “image data”) is transferred to display apparatuses set in a motorman's cab, a conductor's compartment, and the like to enable a motorman and a conductor to easily check a situation in the car.

When the camera for monitoring is attached in the car as explained above, crime prevention in the car can be expected. When a crime actually occurs in the car, it is likely that the data photographed by the camera can be used as proof and evidence of the crime. However, because the image data is in a digital format, contents of the image data can be easily altered. Reliability of the image data is a problem. As measures against such a problem, there is a technology for performing an electronic signature on photographed image data to thereby guarantee reliability of the data (a proof that the data is not altered) (e.g., Patent Literature 1).

CITATION LIST

Patent Literature

Patent Literature 1: Japanese Patent Application Laid-Open No. 2007-81596

SUMMARY

Technical Problem

In the case of data photographed in a train, to adopt the data as, for example, an evidence in a trial, it is likely that importance is placed not only on whether data is simply not altered but also where the data is photographed. Therefore, simply by performing the electronic signature on the image data, although it is guaranteed that the data is not altered, there is a problem in that it is likely that the data is not useful when importance is placed on a photographing time and a photographing place (where the train was traveling when the data was photographed).

The present invention has been devised in view of the above and it is an object of the present invention to obtain an on-car-data recording apparatus and an in-train-image data managing system capable of guaranteeing reliability of videos and images photographed in a train and storing the videos and the images in a state in which photographing places can be specified.

Solution to Problem

To solve the problems and achieve the object, the present invention provides an on-car-data recording apparatus mounted on a train to record image data, which is data of a video or an image photographed by an image pickup apparatus set in the train, the on-car-data recording apparatus including: a secret-key retaining unit that retains a secret key paired with a public key for electronic signature for which certification by a certification authority is completed; a train-specific-information managing unit that manages information specific to the own train capable of specifying a traveling position of the own train; an electronic-signature generating unit that integrates, every time the image data is generated by the image pickup apparatus, the generated image data and train specific information, which is the information managed by the train-specific-information managing unit, calculates a hash value of obtained integrated data, and generates an electronic signature on the basis of the calculated hash value and the secret key; and an image data managing unit that retains the electronic signature generated by the electronic-signature generating unit and the image data used in generating the electronic signature in association with each other.

ADVANTAGEOUS EFFECTS OF INVENTION

According to the present invention, it is possible to discriminate whether the image data is not altered and manage the image data in a state in which it is possible to specify when and where the image data is photographed.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram showing an application example of an in-train-image data managing system.

FIG. 2 is a diagram showing a configuration example of an on-car-data recording apparatus.

FIG. 3 is a diagram showing a configuration example of a ground apparatus.

FIG. 4 is a diagram showing an overview of an electronic-certificate managing operation.

FIG. 5 is a diagram showing an overview of an electronic signature operation.

FIG. 6 is a flowchart for explaining an operation example of the on-car-data recording apparatus.

FIG. 7 is a diagram showing an overview of an electronic-signature verifying operation.

FIG. 8 is a flowchart for explaining an example of the electronic-signature verifying operation in the ground apparatus.

DESCRIPTION OF EMBODIMENTS

An embodiment of an on-car-data recording apparatus and an in-train-image data managing system according to the present invention is explained in detail below with reference to the drawings. Note that the present invention is not limited by the embodiment.

Embodiment

FIG. 1 is a diagram showing a configuration example of a railroad system applied with an in-train-image data managing system according to the present invention. The in-train-image data managing system includes an on-car-data recording apparatus 2 mounted on a car 1 of a train and a ground apparatus 3 set on the ground. The on-car-data recording apparatus 2 is mounted on, for example, a head car 1. The on-car-data recording apparatus 2 is connected to a central apparatus 11. The central apparatus 11 is connected to terminals 12 set in cars 1 via a trunk transmission path (inter-car transmission path) disposed across cars. One or more cameras 13 functioning as image pickup apparatuses are connected to the terminals 12 of the cars 1 via branch transmission paths (in-car transmission paths). Note that, although not described herein, various apparatuses (e.g., air conditioners, lighting apparatuses, brake apparatuses, and display apparatuses) other than the cameras are also connected to the terminals 12. The central apparatus 11 is connected to a communication apparatus 14 and configured to be capable of communicating with the ground apparatus 3 via the communication apparatus 14. Note that the communication apparatus 14 communicates with the ground apparatus 3 via a radio base station set in a station, beside a railroad, or the like.

The central apparatus 11 and the terminals 12 configure a train-information managing apparatus. The central apparatus 11 collects information from train-mounted apparatuses such as air conditioners, brake apparatuses, and motors set in the cars via the trunk transmission path, the terminals 12, and the branch transmission paths and manages the information and controls the train-mounted apparatuses. The central apparatus 11 controls the train-mounted apparatuses according to an instruction from, for example, a master controller in a motorman's cab not shown in the figure.

The cameras 13 are set in predetermined positions in the cars 1, for example, upper door lintel sections of doors and photograph states in the cars. Data of photographed images and videos are transmitted to the on-car-data recording apparatus 2 at specified timing and stored.

The on-car-data recording apparatus 2 receives data (image data) from the cameras 13 in the train, performs an electronic signature, and then stores the data. The communication apparatus 14 communicates with the ground apparatus 3 via a radio transmission path. Note that, in FIG. 1, a configuration example is shown in which one on-car-data recording apparatus 2 is mounted on one train. However, a plurality of on-car-data recording apparatuses 2 can be mounted. For example, the on-car-data recording apparatuses 2 can be mounted in the cars 1 at both ends of the train. The on-car-data recording apparatuses 2 can be mounted one by one in the cars 1.

The ground apparatus 3 generates a pair of keys (a public key and a secret key) used in the electronic signature by the on-car-data recording apparatus 2. The ground apparatus 3 can include a function of receiving, according to necessity, the image data stored in the on-car-data recording apparatus 2 and determining reliability of the data, that is, whether the data is not altered. Another apparatus (not shown in the figure) other than the ground apparatus 3 can include the function of determining the reliability of the data (whether the data is not altered).

Note that FIG. 1 shows an example in which the train mounted with the on-car-data recording apparatus 2 is one train. However, actually, a plurality of trains mounted with the on-car-data recording apparatuses 2 are present. The ground apparatus 3 individually generates a pair of a public key and a secret key for each of the plurality of trains (in the case of a configuration in which one on-car-data recording apparatus 2 is mounted on one train). When a plurality of on-car-data recording apparatuses 2 are mounted on one train, the ground apparatus 3 generates pairs of public keys and secret keys as many as the mounted on-car-data recording apparatuses 2. That is, the ground apparatus 3 individually generates a pair of a public key and a secret key for each of the on-car-data recording apparatuses 2 present in the system.

A certification authority 4 is connected to, for example, a wired network and capable of communicating with the ground apparatus 3. When receiving a request from the ground apparatus 3, the certification authority 4 issues an electronic certificate of the public key generated by the ground apparatus 3.

In the in-train-image data managing system shown in FIG. 1, when receiving image data from the camera 13, the on-car-data recording apparatus 2 adds information concerning a place where a train mounted with the on-car-data recording apparatus 2 is traveling at that point in time to the image data as train specific information and then performs an electronic signature using the secret key generated by the ground apparatus 3. For example, when predetermined operation is performed by a staff member of a railroad system, the ground apparatus 3 acquires image data corresponding to operation content, train specific information added before an electronic signature is performed on the image data, and the electronic signature from the on-car-data recording apparatus 2 and determines reliability of the acquired image data on the basis of an electronic certificate for a public key paired with a secret key used by the on-car-data recording apparatus 2 at a data acquisition source in performing the electronic signature and the train specific information and the electronic signature acquired from the on-car-data recording apparatus 2.

FIG. 2 is a diagram showing a configuration example of the on-car-data recording apparatus 2. The on-car-data recording apparatus 2 includes a communication processing unit 21, a secret-key retaining unit 22, a train-specific-information managing unit 23, an image data managing unit 24, and an electronic-signature generating unit 25.

In the on-car-data recording apparatus 2, the communication processing unit 21 is an interface with the central apparatus 11. The communication processing unit 21 acquires various data managed by the central apparatus 11 and receives, via the terminals 12 and the central apparatus 11, as image data, various videos photographed by the cameras 13 in the train. The communication processing unit 21 transmits and receives data to and from the ground apparatus 3 via the central apparatus 11 and the communication apparatus 14.

The secret-key retaining unit 22 acquires a secret key used in an electronic signature from the ground apparatus 3 and retains the secret key.

The train-specific-information managing unit 23 retains information specific to the own train (the train mounted with the on-car-data recording apparatus 2) as train specific information. The train specific information is information concerning a traveling place of the own train. The train specific information is, for example, a train number, a formation number of the train, identification information (a motorman ID) of a motorman, information concerning a traveling route, and information concerning a traveling section. The train-specific-information managing unit 23 retains one or two or more kinds of information as train specific information out of these kinds of information. These kinds of information are generally managed by the train-information managing apparatus. The train-specific-information managing unit 23 acquires in advance, for example, necessary information from the central apparatus 11 configuring the train-information managing apparatus. The train number is information indicating an operation schedule of the own train. If the train number is known, it is possible to learn when and where the train given with the train number travels (traveled). The formation number is identification information of the train formed by one or more cars. The formation number allocated to the train is fixed. When the train is operated, the train number is given to the train. In the ground apparatus 3 shown in FIG. 1 and an operation managing system (not shown in the figure) on the ground side, operation management of the train and crew members (e.g., which train number is allocated to which formation number and which crew member is allocated to a train having which train number) is performed. If the formation number and the motorman ID are known, it is possible to learn when and where a train corresponding to the formation number and the motorman ID travels (or traveled).

Note that the train-specific-information managing unit 23 can acquire the information such as the train number, the formation number of the train, and the motorman ID at timing when the information is necessary, specifically, timing when the electronic-signature generating unit 25 explained below generates an electronic signature rather than acquiring the information in advance. Because crew members of the train sometimes change in a halfway stop station or the like, when information concerning the crew members (the motorman ID, etc.) is used as the train specific information, the train specific information retained by the train-specific-information managing unit 23 can be changed by a communication apparatus and a recording medium such as an IC card.

The image data managing unit 24 receives image data transmitted from the camera 13, adds an electronic signature generated by the electronic-signature generating unit 25 explained below to the image data, and manages the image data.

The electronic-signature generating unit 25 generates, on the basis of the train specific information managed by the train-specific-information managing unit 23, an electronic signature added to the image data transmitted from the camera 13.

FIG. 3 is a diagram showing a configuration example of the ground apparatus 3. The ground apparatus 3 includes a train-side-communication processing unit 31, a network-side-communication processing unit 32, a key managing unit 33, an electronic-certificate managing unit 34, and a data-validity determining unit 35.

In the ground apparatus 3, the train-side-communication processing unit 31 communicates with, via, for example, a not-shown antenna, the communication apparatus 14 (see FIG. 1) mounted on the train. The network-side-communication processing unit 32 is connected to, for example, a wired network and communicates with the certification authority 4 and the like on the outside.

The key managing unit 33 generates a pair of a secret key and a public key used by the on-car-data recording apparatus 2 mounted on the train in performing an electronic signature on image data in the camera 13. Note that, because the railroad system is configured by a plurality of trains, the key managing unit 33 individually generates the pair of the secret key and the public key for each of the plurality of trains.

The electronic-certificate managing unit 34 acquires an electronic certificate concerning each of public keys generated by the key managing unit 33 from the certification authority 4 and manages the electronic certificate.

The data-validity determining unit 35 determines whether the image data in the camera 13 retained by the on-car-data recording apparatus 2 is not altered. Note that an apparatus (another apparatus on the ground side not shown in FIG. 1) different from the ground apparatus 3 can include the data-validity determining unit 35. That is, an apparatus other than the ground apparatus 3 can determine validity of the image data retained by the on-car-data recording apparatus 2 (whether the image data is not altered).

The overall operation of the in-train-image data managing system is explained in detail. Note that, in the following explanation, the overall operation is divided into three operations, that is, an electronic-certificate managing operation, an electronic signature operation, and an electronic-signature verifying operation.

(Electronic-Certificate Managing Operation)

FIG. 4 is a diagram showing an overview of the electronic-certificate managing operation. The electronic-certificate managing operation includes procedures (1) to (4) shown in FIG. 4. The procedures are explained below with reference to FIG. 2, FIG. 3, and FIG. 4.

(1) Creation of Key Pairs

In the ground apparatus 3, the key managing unit 33 creates pairs of public keys and secret keys for electronic signature respectively allocated to the plurality of on-car-data recording apparatuses 2 in the system. The pairs of the public keys and the secret keys are created by a publicly-known creation method for a key for an electronic signature.

(2) Send the Public Keys to a Third-Party Certification Authority

When the creation of the public keys and the secret keys is completed, subsequently, the key managing unit 33 sends the created public keys to a third-party certification authority (equivalent to the certification authority 4 shown in FIG. 1) through the network-side-communication processing unit 32.

(3) Issuance (Acquisition) of an Electronic Certificate

When the sending of the public keys to the third-party certification authority by the key managing unit 33 is completed, an electronic certificate for the sent public keys is issued by the third-party certification authority. The electronic-certificate managing unit 34 of the ground apparatus 3 receives and manages the issued electronic certificate.

(4) Sending of the Secret Keys

The key managing unit 33 sends the secret keys created in (1) above to the on-car-data recording apparatus 2. In the on-car-data recording apparatus 2 that receives the sending of the secret keys, the secret-key retaining unit 22 receives and retains the secret keys. Note that, because the secret keys need to be treated not to be known to the outside, the sending of the secret keys from the ground apparatus 3 to the on-car-data recording apparatus 2 is desirably performed by a method of performing the sending using, for example, a leased line having high security or manually performing the sending using a small memory device or the like. The sending operation of the secret keys can be immediately started after the creation of the key pairs in (1) above is completed without waiting for (2) and (3) above to be completed.

In the electronic-certificate managing operation explained above, the procedures other than (4) are the same as issuance of key pairs and an electronic certificate in a conventional general electronic signature system.

(Electronic Signature Operation)

FIG. 5 is a diagram showing an overview of the electronic signature operation. The electronic signature operation includes procedures (1) to (3) shown in FIG. 5. When image data is transmitted from the image pickup apparatus, which is the camera 13 shown in FIG. 1, the on-car-data recording apparatus 2 executes the electronic signature operation and then stores the image data. The procedures are explained below with reference to FIG. 2 and FIG. 5.

(1) Transmission of Image Data (Acquisition of Image Data)

The image pickup apparatuses (the cameras 13) set in the cars of the train photograph states in the cars. When predetermined timing determined in advance comes, the image pickup apparatuses transmit image data to the on-car-data recording apparatus 2. For example, when a size of the image data reaches a specified size (equivalent to n frames of image data) or when a photographing time reaches a specified time (every time the image pickup apparatuses perform photographing for x seconds), the image pickup apparatuses transmit the image data to the on-car-data recording apparatus 2. Note that it is assumed that information concerning photographing date and time (e.g., one or both of photographing start time and photographing end time) is included in the image data.

(2) Generation of a Hash Value Corresponding to the Acquired Image Data

When the image data is transmitted from the image pickup apparatuses, in the on-car-data recording apparatus 2, first, the electronic-signature generating unit 25 receives the image data, adds train specific information to the received image data and calculates a hash value of the image data added with the train specific information.

(3) Generation of an Electronic Signature

When the calculation of the hash value ends, subsequently, the electronic-signature generating unit 25 generates an electronic signature on the image data added with the train specific information using the calculated hash value and the secret keys retained in the secret-key retaining unit 22. The generated electronic signature is retained by the image data managing unit 24 together with the image data. Note that the hash value can be discarded after the generation of the electronic signature ends.

FIG. 6 is a flowchart for explaining an operation example of the on-car-data recording apparatus 2. The on-car-data recording apparatus 2 performs an electronic signature on image data according to the flowchart shown in FIG. 6.

That is, first, the electronic-signature generating unit 25 acquires, through the communication processing unit 21, image data transmitted from the image pickup apparatuses (step S11). Subsequently, the electronic-signature generating unit 25 acquires the train specific information managed by the train-specific-information managing unit 23 (step S12). The electronic-signature generating unit 25 adds the train specific information acquired at step S12 to the image data acquired at step S11 and creates integrated data (step S13). The electronic-signature generating unit 25 further calculates a hash value of the integrated data (step S14) and generates an electronic signature of the integrated data using the calculated hash value and the secret keys retained by the secret-key retaining unit 22 (step S15). The image data managing unit 24 stores the image data acquired at step S11 and the electronic signature calculated at step S15 in association with each other (step S16).

(Electronic-Signature Verifying Operation)

FIG. 7 is a diagram showing an overview of the electronic-signature verifying operation. The electronic-signature verifying operation includes procedures (1) to (4) shown in FIG. 7. For example, when receiving, from the outside, operation for instructing a verification start of the image data recorded in the on-car-data recording apparatus 2, the ground apparatus 3 executes the electronic-signature verifying operation. The procedures are explained below with reference to FIG. 2, FIG. 3, and FIG. 7.

(1) Acquisition of Verification Target Data

When the verification start of the image data is instructed, in the ground apparatus 3, first, the data-validity determining unit 35 acquires verification data indicated by instruction content from the on-car-data recording apparatus 2. It is assumed that the instruction content includes information concerning verification target data, that is, information indicating which image data retained by the on-car-data recording apparatus 2 mounted on which train the verification data is (when the verification data is photographed) (information of the on-car-data recording apparatus). It is assumed that the instruction content includes, for example, information indicating image data at AA month, BB day, hh hour, mm minute in a train having a train number XX. The data-validity determining unit 35 acquires, according to necessity, from a train-operation managing system or the like, information concerning a train formation operated as the train having the train number XX at a point in time of AA month, BB day, hh hour, mm minute and then acquires photographing data at the date and time from the on-car-data recording apparatus 2 mounted on a train corresponding to the information of the train formation. The data-validity determining unit 35 acquires an electronic signature associated with the image data as well.

(2) Generation of a First Hash Value

Subsequently, the data-validity determining unit 35 acquires train specific information same as the train specific information used during the electronic signature generation for the acquired image data from the train-information managing apparatus (the central apparatus 11) and further generates a hash value using the acquired image data and the acquired train specific information.

Specifically, as in the electronic signature operation in the on-car-data recording apparatus 2, the data-validity determining unit 35 adds the train specific information to the image data and calculates, as a first hash value, a hash value (a hash #1a shown in the figure) of integrated data obtained as a result of the addition of the train specific information (image data added with the train specific information). Note that the train specific information can be acquired from the train-specific-information managing unit 23 of the on-car-data recording apparatus 2 rather than from the train-information managing apparatus.

(3) Generation of a Second Hash Value (restoration of a hash value based on an electronic signature)

The data-validity determining unit 35 restores, as a second hash value, a hash value (a hash #1b shown in the figure) from the electronic signature acquired from the on-car-data recording apparatus 2 and the electronic certificate managed by the electronic-certificate managing unit 34.

(4) Validity Determination of Image Data

Subsequently, the data-validity determining unit 35 compares the first hash value and the second hash value and, when both the hash values coincide with each other, determines that the image data is valid (i.e., not altered).

FIG. 8 is a flowchart for explaining an example of an image data-validity determining operation (an electronic-signature verifying operation) in the data-validity determining unit 35 of the ground apparatus 3. The data-validity determining unit 35 determines, according to the flowchart shown in FIG. 8, whether image data is valid image data not altered.

That is, first, the data-validity determining unit 35 acquires determination target image data and an electronic signature corresponding to the image data from the on-car-data recording apparatus 2 (step S21). Subsequently, the data-validity determining unit 35 acquires, from the on-car-data recording apparatus 2, train specific information corresponding to date and time information included in the acquired image data (step S22). The data-validity determining unit 35 calculates a hash value A (the first hash value) using the acquired image data and the acquired train specific information (step S23). Specifically, the data-validity determining unit 35 adds the train specific information to the image data to create integrated data and calculates a hash value of the integrated data. Subsequently, the data-validity determining unit 35 restores a hash value B (the second hash value) on the basis of, among electronic certificates retained by the electronic-certificate managing unit 34, an electronic certificate corresponding to the image data, that is, an electronic certificate corresponding to a public key paired with a secret key used by the on-car-data recording apparatus 2 at an acquisition source of the image data, and the electronic signature acquired at step S21 (step S24). Finally, the data-validity determining unit 35 compares the hash value A and the hash value B (step S25). If the hash value A = the hash value B as a result of the comparison, the data-validity determining unit 35 determines that the image data set as the determination target (the image data acquired at step S21) is valid data.
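The signing flow (steps S11 to S16) and the verifying flow (steps S21 to S25) above, as an added example that is not part of the patent text. SHA-256 and unpadded textbook RSA with a constructed, trivially factorable demo key stand in for the unspecified "publicly-known" signature method; the length-prefixed encoding of the integrated data, the field names and the sample values are assumptions.

```python
import hashlib

# Constructed demo key pair (assumption): two Mersenne primes, so the modulus
# is trivially factorable. It only makes the hash-restore step visible.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus (certified public key)
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # secret exponent (secret-key retaining unit 22)


def integrate(image_data: bytes, train_info: dict) -> bytes:
    """Step S13 / S23: add the train specific information to the image data.

    Every field is length-prefixed and keys are sorted, so the same inputs
    always give the same bytes and a byte cannot be moved from the image
    into the train specific information without changing the result.
    """
    fields = [image_data]
    for key in sorted(train_info):
        fields += [key.encode(), str(train_info[key]).encode()]
    return b"".join(len(f).to_bytes(8, "big") + f for f in fields)


def hash_value(integrated: bytes) -> int:
    """Step S14 / S23: hash value of the integrated data."""
    return int.from_bytes(hashlib.sha256(integrated).digest(), "big")


def sign(image_data: bytes, train_info: dict) -> int:
    """Step S15: electronic signature from the hash value and the secret key."""
    return pow(hash_value(integrate(image_data, train_info)), D, N)


def record(store: dict, record_id: str, image_data: bytes, train_info: dict) -> None:
    """Step S16: keep image data and signature in association with each other.
    The train specific information itself is not stored with the record."""
    store[record_id] = (image_data, sign(image_data, train_info))


def restore_hash(signature: int) -> int:
    """Step S24: restore hash value B from the signature and the public key."""
    return pow(signature, E, N)


def verify(image_data: bytes, train_info: dict, signature: int) -> bool:
    """Steps S23 to S25: recompute hash value A and compare it with B."""
    return hash_value(integrate(image_data, train_info)) == restore_hash(signature)


# Constructed sample inputs (not from the patent).
IMAGE = b"\xff\xd8 constructed frame bytes, start=2024-01-01T08:15:00"
TRAIN_INFO = {"train_number": "XX", "formation_number": "F-012", "motorman_id": "M-3456"}


def run_demo() -> dict:
    store = {}
    record(store, "rec-0001", IMAGE, TRAIN_INFO)       # on-car side
    image, signature = store["rec-0001"]               # ground side, step S21
    other_train = dict(TRAIN_INFO, train_number="YY")  # claims another train/place
    return {
        "valid": verify(image, TRAIN_INFO, signature),
        "altered_image": verify(image + b"\x00", TRAIN_INFO, signature),
        "wrong_train_info": verify(image, other_train, signature),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Verification succeeds only when the verifier supplies the same train specific information that was current at signing time, which is why the ground side fetches it independently in step S22.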

In this way, the on-car-data recording apparatus in this embodiment acquires data (image data) photographed by each of the cameras set in the cars of the train, adds train specific information, which is information concerning a place where the own train is traveling at a point in time when the data is acquired, to the image data, then generates an electronic signature of the image data added with the train specific information, and retains the image data and the electronic signature. Consequently, it is possible to discriminate whether the retained image data is not altered and manage the image data and data concerning a photographing place of the image data in association with each other. That is, it is possible to store the image data in a state in which it is possible to specify when and where the data is photographed. For example, to falsify a photographing place, the train specific information is necessary in addition to the image data and the secret key. Therefore, it is possible to improve robustness of the stored data. When a plurality of kinds of information are used as the train specific information, it is possible to further improve the robustness.

INDUSTRIAL APPLICABILITY

As explained above, the on-car-data recording apparatus according to the present invention is useful as a recording apparatus for data photographed by an image pickup apparatus and, in particular, suitable for an apparatus for recording image data by an image pickup apparatus set in a train.

REFERENCE SIGNS LIST

-   1 car
-   2 on-car-data recording apparatus
-   3 ground apparatus
-   4 certification authority
-   11 central apparatus
-   12 terminal
-   13 camera
-   14 communication apparatus
-   21 communication processing unit
-   22 secret-key retaining unit
-   23 train-specific-information managing unit
-   24 image data managing unit
-   25 electronic-signature generating unit
-   31 train-side-communication processing unit
-   32 network-side-communication processing unit
-   33 key managing unit
-   34 electronic-certificate managing unit
-   35 data-validity determining unit

1. An on-car-data recording apparatus mounted on a train to record imagedata, which is data of a video or an image photographed by an imagepickup apparatus set in the train, the on-car-data recording apparatuscomprising: a secret-key retaining unit that retains a secret key pairedwith a public key for electronic signature for which certification by acertification authority is completed; a train-specific-informationmanaging unit that manages information specific to the own train capableof specifying a traveling position of the own train; anelectronic-signature generating unit that integrates, every time theimage data is generated by the image pickup apparatus, the generatedimage data and train specific information, which is the informationmanaged by the train-specific-information managing unit, calculates ahash value of obtained integrated data, and generates an electronicsignature on the basis of the calculated hash value and the secret key;and an image data managing unit that retains the electronic signaturegenerated by the electronic-signature generating unit and the image dataused in generating the electronic signature in association with eachother, wherein the train-specific-information managing unit acquires thetrain specific information at timing when the electronic signature isgenerated.
2. The on-car-data recording apparatus according to claim 1, wherein the information specific to the own car includes any one of a train number, a formation number of the train, identification information of a motorman, information concerning a traveling route, and information concerning a traveling section.
3. The on-car-data recording apparatus according to claim 1, wherein the information specific to the own car includes two or more of a train number, a formation number of the train, identification information of a motorman, information concerning a traveling route, and information concerning a traveling section.
4. An in-train-image data managing system comprising: an on-car-data recording apparatus mounted on a train to record image data, which is data of a video or an image photographed by an image pickup apparatus set in the train; and a ground apparatus set on a ground to determine presence or absence of alteration for the image data recorded by the on-car-data recording apparatus, wherein the ground apparatus includes: a key managing unit that generates a public key and a secret key used in an electronic signature on the image data, requests a certification authority to certify the generated public key, and passes the secret key to the on-car-data recording apparatus; an electronic-certificate managing unit that manages an electronic certificate issued to the public key by the certification authority; and a data-validity determining unit that determines, on the basis of the electronic certificate, presence or absence of alteration for the image data recorded by the on-car-data recording apparatus, and the on-car-data recording apparatus includes: a secret-key retaining unit that acquires the secret key from the ground apparatus and retains the secret key; a train-specific-information managing unit that manages information specific to the own train capable of specifying a traveling position of the own train; an electronic-signature generating unit that integrates, every time the image data is generated by the image pickup apparatus, the generated image data and train specific information, which is the information managed by the train-specific-information managing unit, calculates a hash value of obtained integrated data, and generates an electronic signature on the basis of the calculated hash value and the secret key; and an image data managing unit that retains the electronic signature generated by the electronic-signature generating unit and the image data used in generating the electronic signature in association with each other, wherein the train-specific-information managing unit acquires the train specific information at timing when the electronic signature is generated.
5. The in-train-image data managing system according to claim 4, wherein the data-validity determining unit acquires any one image data retained by the image data managing unit and an electronic signature associated with the image data and the train specific information managed by the train-specific-information managing unit, compares a hash value of integrated data obtained by adding the train specific information to the acquired image data and a hash value restored on the basis of the acquired electronic signature and the electronic certificate and determines presence or absence of alteration for the acquired image data.
6. The in-train-image data managing system according to claim 4, wherein the information specific to the own car includes any one of a train number, a formation number of the train, identification information of a motorman, information concerning a traveling route, and information concerning a traveling section.
7. The in-train-image data managing system according to claim 4, wherein the information specific to the own car includes two or more of a train number, a formation number of the train, identification information of a motorman, information concerning a traveling route, and information concerning a traveling section.
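
The signing step of claim 1 and the hash comparison of claim 5, as an added Python example that is not part of the patent. The patent names no algorithm, so RSA with a PKCS #1 v1.5-style encoding of a SHA-256 hash, the length-prefixed integration format, the function names and the demo key are all assumptions made here.

```python
import hashlib
import hmac
import struct

# Constructed demo key: two well-known Mersenne primes, so the modulus is
# trivially factorable. It only makes the example run offline; a real unit
# would hold a CA-certified key in protected storage.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
# ASN.1 DigestInfo prefix for SHA-256 (PKCS #1 v1.5 signature encoding).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def integrate(image: bytes, train_info: dict) -> bytes:
    """Integrate image data with train specific information.

    Every field is length-prefixed, so bytes cannot be shifted between the
    image and the train information without changing the encoding.
    """
    out = struct.pack(">I", len(image)) + image
    for key in sorted(train_info):
        for part in (key.encode(), str(train_info[key]).encode()):
            out += struct.pack(">I", len(part)) + part
    return out


def encoded_hash(data: bytes) -> bytes:
    """SHA-256 of the integrated data, padded to the modulus size."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(image: bytes, train_info: dict) -> int:
    """On-car side: hash the integrated data and sign with the secret key."""
    m = int.from_bytes(encoded_hash(integrate(image, train_info)), "big")
    return pow(m, D, N)


def verify(image: bytes, train_info: dict, signature: int) -> bool:
    """Ground side: restore the hash from the signature with the public key
    and compare it with the hash recomputed from image + train information."""
    if not 0 <= signature < N:
        return False
    restored = pow(signature, E, N).to_bytes(K, "big")
    expected = encoded_hash(integrate(image, train_info))
    return hmac.compare_digest(restored, expected)
```

Because the train specific information is inside the signed hash, a frame that is byte-for-byte intact still fails verification if it is presented with a different train number or traveling section.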